PoPIA: Why you should be thinking about “privacy by design.”

With the deadline for implementation of South Africa’s Protection of Personal Information Act (PoPIA) looming, should we be thinking about the principles of Privacy by Design?

What is Privacy by Design?

Privacy by Design is a system design principle that seeks to ensure that personal data is protected by default. In other words, the privacy of an individual remains intact even if they do nothing to protect it.

The seven principles of privacy by design include:

1. Design for prevention, not remediation

This means that potential breaches should be anticipated and appropriate protections should be put in place, by design, to avoid any such breach. This principle protects organisations from privacy issues that could hurt the company’s reputation or, under PoPIA, subject it to potential penalties.

2. Privacy as the default

This means that personal data is automatically protected (for example by encryption, masking and access controls) in any system or business practice. No additional steps are required to secure the data.

3. Embed privacy into the design

This means that privacy-related capabilities should not detract from the functionality and usability of the system and should be considered integral to the user experience.

4. Fully functional

Again, the business scope of the system should not be compromised to deliver privacy. Privacy requirements should be accommodated without compromising the function of the system, and vice versa.

5. Lifecycle protection

Information must be secure and protected throughout its lifecycle, from the point of initial data capture all the way through to its final destruction.

6. Visibility and transparency

Users and other stakeholders must be able to understand how personal data moves through your system(s). This means not only understanding data lineage, but also having clarity as to who is using data in different places, and for what purposes, as well as the levels of security provided to different users and use cases. This clarity is critical for accountability and governance.

7. Respect

At the core of Privacy by Design is the recognition that the privacy of your customer’s data should be your primary concern.

So is Privacy by Design required?

Privacy by design is explicitly mentioned by Europe’s General Data Protection Regulation (GDPR) but is not explicitly required by PoPIA.

So why think about it if PoPIA is your only concern?

Well, designing for privacy reduces the risk to your business, your reputation and, hopefully most importantly, it reduces the risk to your customer that their data will be compromised whilst under your care.

For new systems, this should be considered as a default option. Good design should ringfence personal data using a combination of role-based access controls, encryption and masking to ensure that only staff with a genuine need to access the data are able to do so. When purchasing an off-the-shelf system (a new ERP or CRM, for example), it makes sense to ensure that it follows privacy by design principles.
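One way to build the ringfencing described above, as an added example rather than code from the original article: personal fields are masked by default and shown in clear only to roles explicitly granted them, with every clear-text read logged. The field names, role names and sample record are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical classification: every field listed here is personal data.
PERSONAL_FIELDS = {"id_number", "email", "phone"}

# Hypothetical grants: the personal fields each role may read in clear.
ROLE_GRANTS = {
    "support_agent": {"email"},
    "compliance_officer": {"id_number", "email", "phone"},
}


def mask(value: str) -> str:
    """Mask a value, keeping the last two characters only when it is long enough."""
    visible = 2 if len(value) > 4 else 0  # short values are masked completely
    return "*" * (len(value) - visible) + value[len(value) - visible:]


@dataclass
class CustomerStore:
    records: dict
    audit_log: list = field(default_factory=list)

    def view(self, customer_id: str, role: str) -> dict:
        """Return a record with personal fields masked unless the role is granted them."""
        granted = ROLE_GRANTS.get(role, set())  # unknown role: nothing in clear
        out = {}
        for name, value in self.records[customer_id].items():
            if name in PERSONAL_FIELDS and name not in granted:
                out[name] = mask(value)  # protected by default, no caller action needed
            else:
                out[name] = value
                if name in PERSONAL_FIELDS:
                    # Log every clear-text read of personal data for accountability.
                    self.audit_log.append((role, customer_id, name))
        return out


# Constructed sample record, not real personal information.
SAMPLE = CustomerStore({"c1": {
    "account_tier": "gold",
    "id_number": "0000000000000",
    "email": "user@example.com",
    "phone": "0000000000",
}})
```

The caller never opts in to protection: a role missing from the grant table receives a fully masked view, which is the "privacy as the default" behaviour from principle 2.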

For older / existing systems, implementing privacy by design principles may be harder.

A privacy audit will identify privacy weak-points and allow you to plan new, user-friendly solutions to address them. From a PoPIA perspective there is no urgency to address these. However, as the biggest threat to personal privacy is internal data leaks, it makes business sense to phase privacy by design features into existing systems over time, beginning with those that present the greatest risk of exposure.

You should be thinking about privacy by design